Arkime includes tools for capturing and indexing PCAP traffic, and also provides tools for quick access to the indexed data. The use of the standard PCAP format greatly simplifies integration with existing traffic analyzers such as Wireshark. The volume of stored data is limited only by the size of the available disk array. Session metadata is indexed in a cluster based on the Elasticsearch or OpenSearch engine. The traffic capture component operates in multi-threaded mode and handles monitoring, writing PCAP dumps to disk, parsing captured packets and sending session metadata (SPI, stateful packet inspection) and protocol metadata to the Elasticsearch/OpenSearch cluster. PCAP files can be stored in encrypted form.
To analyze the accumulated information, a web interface is offered that allows you to navigate, search and export samples. The web interface provides several viewing modes, from general statistics, connection maps and visual graphs of changes in network activity to tools for studying individual sessions, analyzing activity by protocol and parsing data from PCAP dumps. An API is also provided that allows captured packets (in PCAP format) and parsed sessions (in JSON format) to be passed to third-party applications.
In the new version:
- Added the ability to send combined search requests through the Cont3xt service, which collects open-source intelligence (OSINT) about several objects at once.
- Added support for the JA4 and JA4+ traffic fingerprinting methods for identifying network protocols and applications.
- The layout of the block with detailed session information has been changed to minimize unused space, with a two-column layout on large screens.
- Drop-down blocks have been added to the Files, History and Stats tabs for searching several instances of the statistics interface (Viewer) simultaneously.
- The authorization system has been unified and split into a separate module that is now used in all Arkime applications. The digest method is used by default instead of the anonymous authorization mode. New authorization modes have been added: basic, form, basic+form, basic+oidc, headerOnly, header+digest and header+basic.
- All applications have been moved to a unified configuration subsystem that supports settings in different formats (ini, json, yaml) and can load settings from different sources, for example from disk, over the network via HTTPS, or from OpenSearch/Elasticsearch.
- Added support for importing saved (offline) PCAP dumps and fetching them by URL over HTTPS or from Amazon S3 storage, without first saving them on the local system.
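As an added illustration of the JA4 fingerprint named in the list above (example code written for this page, not Arkime's own implementation): a JA4 value is built from the ClientHello's transport, TLS version, SNI presence, cipher and extension counts and first ALPN value (JA4_a), followed by truncated SHA-256 hashes of the sorted cipher list (JA4_b) and of the sorted extension list plus the signature algorithms in wire order (JA4_c); the JA4_r variant keeps those lists unhashed so a defender can see which suites and extensions drove a match. The ClientHello fields below, including the GREASE values that JA4 must ignore, are constructed sample input; the code assumes the fields were already parsed out of the handshake, and the published spec's handling of non-ASCII ALPN values is not implemented.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# TLS/SSL version numbers mapped to the two-character JA4 version field.
TLS_VERSION_NAMES = {
    0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10",
    0x0300: "s3", 0x0002: "s2",
}
SNI_EXT, ALPN_EXT = "0000", "0010"   # excluded from the JA4_c extension list


@dataclass
class ClientHello:
    """Already-parsed ClientHello fields (assumption: parsing happens elsewhere)."""
    transport: str                      # "t" for TCP, "q" for QUIC
    version: int                        # legacy_version from the ClientHello header
    supported_versions: List[int] = field(default_factory=list)
    sni: Optional[str] = None
    ciphers: List[int] = field(default_factory=list)
    extensions: List[int] = field(default_factory=list)            # wire order
    alpn: List[str] = field(default_factory=list)
    signature_algorithms: List[int] = field(default_factory=list)  # wire order


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; JA4 ignores them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _hex4(values: List[int]) -> List[str]:
    """Render the non-GREASE 16-bit values as four lowercase hex digits each."""
    return [f"{v:04x}" for v in values if not is_grease(v)]


def _hash12(text: str) -> str:
    """JA4 truncated hash: first 12 hex chars of SHA-256, or all zeros for an empty list."""
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "000000000000"


def ja4_parts(h: ClientHello) -> Tuple[str, str, str]:
    """Return (JA4_a, unhashed JA4_b, unhashed JA4_c)."""
    versions = [v for v in h.supported_versions if not is_grease(v)]
    version = TLS_VERSION_NAMES.get(max(versions) if versions else h.version, "00")
    sni_flag = "d" if h.sni else "i"          # d = domain (SNI present), i = IP (absent)
    ciphers = sorted(_hex4(h.ciphers))
    extensions = _hex4(h.extensions)          # SNI and ALPN are counted in JA4_a ...
    first_alpn = h.alpn[0] if h.alpn else ""
    alpn_tag = (first_alpn[0] + first_alpn[-1]) if first_alpn else "00"
    a = (f"{h.transport}{version}{sni_flag}"
         f"{min(len(ciphers), 99):02d}{min(len(extensions), 99):02d}{alpn_tag}")
    b_raw = ",".join(ciphers)
    c_exts = sorted(e for e in extensions if e not in (SNI_EXT, ALPN_EXT))  # ... but dropped here
    sig_algs = _hex4(h.signature_algorithms)  # kept in wire order, never sorted
    c_raw = ",".join(c_exts) + ("_" + ",".join(sig_algs) if sig_algs else "")
    return a, b_raw, c_raw


def ja4(h: ClientHello) -> str:
    """Standard JA4: header plus two truncated hashes."""
    a, b_raw, c_raw = ja4_parts(h)
    return f"{a}_{_hash12(b_raw)}_{_hash12(c_raw)}"


def ja4_r(h: ClientHello) -> str:
    """JA4_r: same header, but the cipher/extension lists are left readable."""
    a, b_raw, c_raw = ja4_parts(h)
    return f"{a}_{b_raw}_{c_raw}"


# Constructed sample ClientHello: TLS 1.3 over TCP with SNI, GREASE sprinkled in.
SAMPLE = ClientHello(
    transport="t", version=0x0303,
    supported_versions=[0x0A0A, 0x0304, 0x0303],
    sni="example.com",
    ciphers=[0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B],
    extensions=[0x0A0A, 0x0000, 0x0017, 0x0010, 0x002B, 0x000D],
    alpn=["h2", "http/1.1"],
    signature_algorithms=[0x0804, 0x0403],
)

if __name__ == "__main__":
    print(ja4(SAMPLE))
    print(ja4_r(SAMPLE))
```

Because GREASE values are filtered before counting and hashing, a client that randomizes its GREASE choices per connection still produces a stable fingerprint, which is the property that makes JA4 usable as a detection key; a ClientHello with no ciphers or extensions yields the documented all-zero hash fields rather than a hash of the empty string.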